Default security settings
Sunday, 18 February 2007, michuk
What is the easiest way to get a bunch of unforgettable moments with your Windows-powered computer? Simply do nothing! Here you have some detailed instructions for that:
- Install the Windows OS (version doesn’t matter) or better let your computer company which sold you the hardware do it for you (they are professionals!)
- Connect to the Internet (big “e” icon next to the “Start” menu).
- Surf the favorite websites for a while.
- Download some e-mail using Outlook Express (the other icon next to big “e”).
- Don’t install any applications like a firewall or antivirus software – you are just a regular user, so don’t mess with it, it’s evil. Some of your friends installed it and now their computers work twice as slow as before. You’ve been warned.
- Avoid all so called “security patches” (whatever they are). Your system has been installed by a professional so there is no reason to mess with the settings - you can only break things. They say Windows is secure anyway, so why bother with the patches?
- Remember that you should perform all your actions as the Administrator (the default login). Well, whatever, you probably do it anyway, unaware of this fact.
- After a few days (or weeks if you’re lucky) call your IT friend and complain that “your computer doesn’t work”. If he asks what happened, say the truth (”I did nothing”). When he says he can’t help, call him a loser (he’s a computer engineer so he should know solutions, right?) and call the service.
- Do not panic when they say nothing can be done. Reinstall your OS or pay them to do it and start all over again. This time it will surely go better!
Sounds dramatic? Perhaps a little unrealistic? But wait… isn’t it what Microsoft delivers as the default settings recommended for unaware home computer users? Is it possible that the default configuration of the most popular operating system created by the most powerful IT company in the history is so insecure?? How can it be, that before connecting to the Internet, one needs to install multiple software packages just not to get hacked or infected with malware in a couple of minutes? Finally, how is it possible that hobbyists who develop Debian, Fedora or OpenBSD managed to produce systems secure by design and a professional IT company couldn’t achieve even a reasonable level of security for so many years? Honestly, it’s one of the greatest mysteries of our days…
So, how do others do it?
What’s the difference between the security policy of Microsoft compared to GNU/Linux and even better, BSD systems? It’s the defaults, idiot! Technologically, both systems can provide a similar level of security, actually. The difference is that most GNU/Linux distros make it much easier to have a secure OS by providing reasonable default settings, usually secure enough for home computer users. Here are just a few examples to illustrate what I am talking about:
- Firewall is installed and configured by default – all unused ports are blocked, which makes it a lot harder for malicious software to damage our OS,
- Forcing the user to log in using an unprivileged account – this protects us from accidentally installing a virus or other type of malware software. If we don’t have the permission to do it, apps we run (which may have security holes) do not have this permission either,
- Easy installation of complex security patches, not only to the kernel of the OS but for all installed applications (and the apps tend to have many more holes than the kernel),
- Promoting the best apps for a task, not the ones created by some friendly company. This helps to develop a healthy competition, even Redhat uses Novell’s software (Evolution) and vice-versa. It’s the power of open source and free software. It’s the user who benefits the most.
Saying all this, I have to admit that I realize there is an ever-lasting conflict between security and usability. Every restriction (like having to log in as root in order to install some app) reflects negatively on the user experience. On the other hand however - can we call a system which crashes a few weeks after the installation a usable one? Even the Microsoft guys seem to start realizing it. The new version of their OS - the infamous Vista - is going to have many more restrictions in the default install (or at least the public betas suggest so). I hope that my point about Windows security will become irrelevant by then.
Propagate this post
Subscribe to RSS feed for this article!
5 Comments
- A hyperlink: <a href="polishlinux.org">GNU/Linux for everyone!</a>,
- Strong text: <strong>Strong text</strong>,
- Italic text: <em>italic text</em>,
- Strike: <strike>
strike</strike>, - Code: <code>
printf("hello world");</code>, - Block quote: <blockquote>Block quote</blockquote>
Or install those security patches, get a decent firewall / anti-virus software, and enjoy windows!
Don’t get me wrong, I use Linux (Ubuntu Feisty Fawn) as much as I do windows but problems because of doing nothing isn’t really a reason to switch…
I have to agree on your point number 5. Anti Virus Software really is a pain in the neck. But if I don’t install it, my PC might get a virus.
This article contains some good points but I’d say the conclusions you’ve made are somewhat simplified because you didn’t care to give an accurate analysis of how Linux can become as secure as Linux people want it to be.
The fallacy of some of the points you made in the article lies herein - stating that (any) Linux (distro) is secure out-of-the-box is wrong because:
“What’s the difference between the security policy of Microsoft compared to GNU/Linux and even better, BSD systems? It’s the defaults, idiot!”
I’m not an idiot but I’m suggesting that the defaults in Linux distros aren’t always optimized for best security.
It depends on which distro you’re referring to.
Many distros have tons of services up’n runnin by default. Not only are they consuming precious RAM, but some of them are known to have had (or having) security issues.
And if Linux were so secure out-of-the-box, why are there tides of how-to’s on the internet providing the user valuable information on how to harden your linux-box?
What’s the difference between this:
http://www.markusjansson.net/exp.html
and this:
http://www.puschitz.com/SecuringLinux.shtml
The articles are probably equally long and equally elaborate.
My point is, there’s no such thing as a secure OS. OS security is not static. I would definitely put my trust on a WinXP machine with sp2 installed and FW + AV software installed because windows users in general know by now that these actions are mandatory in order to secure their system, than an Ubuntu without firewall and a user that believes in the mantra - “Linux is secure because it’s Linux and I don’t have to do a darn thing to make it more secure! Hey, it’s a Linux!”.
And why are there tons of security applications (snort, tripwire, rkhunter, chkrootkit, aide, selinux, grsecurity, apparmor etc etc) if Linux distro “X” is so much more secure than Windows? And have a look at secunia.org and browse for any Linux distro and you’ll notice that the security advisories for those are not really rare.
Next:
“Firewall is installed and configured by default”
Not true. Again, it depends on which distro you’re referring to. Security focused distros such as Fedora will ask you during the installation whether or not you would like to activate the fw/ip-tables, but it’s not activated per default. *buntu doesn’t even ask if you want to use a firewall, and even if you opt to install a FW after the installation has finished, it will not always start with the boot. How secure is that, thinking that you’re running a FW when you’re not. I know a Slackware based distro, NetSecl, that doesn’t even ask if you want a FW or not - it’s activated by default. Kudos to the developer.
So it really depends on *which* linux distro, not linux distros *in general* when you make a generic statement about firewall based security.
“Forcing the user to log in using an unprivileged account”
Yup, again it depends on the distro. In some, you’re not even encouraged to create an unprivileged account after the installation is done. In Linspire, you’re Root all the way.
“Easy installation of complex security patches, not only to the kernel of the OS but for all installed applications (and the apps tend to have many more holes than the kernel”
And blindly installing all patches will never introduce new bugs and security holes into your system? My impression is that even for Linux, it’s not generally recommended to immediately install all “bleeding” patches since there’s no guarantee that the patches will indeed benefit your system.
For example, upgrading the kernel can sometimes introduce annoying instability issues to your system.
Believe it or not, I am an avid linux user and love the concept of gratis software to everybody and more importantly, the implementation of fine grained security some distros offer to the user, but I wouldn’t dare to recommend any generic linux distro out there to a potential Windows convert by saying stuff like “linux is secure because it’s linux!”. Because that simply isn’t true. It’s way more complicated than that.
I use deepfreeze. and i don’t get any problems.
Windows security is really bad because, today, it decided that my internet connection was insecure, so Windows Firewall just cut it off. It refused to allow me to access the internet, and then I just checked it as an exception, to allow internet access through that connection, and it worked just fine. That’s one of those problems with Windows, it decides that something should be done and it does it, without telling you and it takes forever to fix it.